[Dovecot] script to detect dictionary attacks

Benny Pedersen me at junc.eu
Sat Apr 6 15:24:13 EEST 2013


Reindl Harald wrote on 2013-04-06 13:18:

> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?

yes i have :)

pflogsumm

> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls

it's simple to make a filter that checks for unknown users in postfix logs,
it's even simpler if one makes syslog go to sql, then postfix can live
block that ip that sends to unknown users

> * add the IP to a distributed "iptables-block.sh" and distribute
>   it to any server with a comment and timestamp
> * write an abuse-mail to the ISP

that would be cool, lol :)
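
An added example, not part of the original post and not a script from either poster: a minimal filter of the kind described above, counting distinct unknown recipients per source IP in Postfix smtpd reject lines and producing a mail-ready report. The log lines are constructed samples, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual Postfix smtpd reject format (not from a real server).
SAMPLE_LOG = """\
Apr  6 13:01:02 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Apr  6 13:01:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <admin@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<admin@example.org> proto=ESMTP helo=<x>
Apr  6 13:01:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <info@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<info@example.org> proto=ESMTP helo=<x>
Apr  6 13:01:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <Info@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<Info@example.org> proto=ESMTP helo=<x>
Apr  6 13:01:06 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <test@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<test@example.org> proto=ESMTP helo=<x>
Apr  6 13:02:10 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <jhon@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.com> to=<jhon@example.org> proto=ESMTP helo=<mail.example.com>
Apr  6 13:03:20 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <x@other.example>: Relay access denied; from=<c@example.net> to=<x@other.example> proto=ESMTP helo=<y>
"""

# Only "User unknown" recipient rejections count; other reject reasons are ignored.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"\d{3} [\d.]+ <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def unknown_user_sources(lines, min_distinct=3):
    """Map each source IP to its sorted distinct unknown recipients.

    Counting distinct addresses (case-folded) rather than raw rejects keeps a
    single mistyped address that is retried from being reported as an attack.
    """
    seen = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(r) for ip, r in seen.items() if len(r) >= min_distinct}

def format_report(offenders):
    """Plain-text body suitable for a notification mail, worst offender first."""
    rows = sorted(offenders.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return "\n".join(f"{ip}\t{len(r)} unknown recipients\t{', '.join(r)}" for ip, r in rows)

if __name__ == "__main__":
    print(format_report(unknown_user_sources(SAMPLE_LOG.splitlines())))
```

In use, the lines would come from the live maillog instead of `SAMPLE_LOG`, and the report would be handed to the local mailer from cron.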

